ci: harden container images and bump Python to 3.13

Remove curl/libcurl from runtime image (unused), bump Python
3.12 to 3.13 to resolve CPE CVEs, and upgrade confluent-kafka,
msgpack, and peewee for 3.13 compatibility.

OBS-1999

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: aarthy-dk

deploy/docker/observability-be.dockerfile

@@ -1,6 +1,6 @@
 # DEV NOTE:  YOU MUST RUN `docker build` FROM THE TOP-LEVEL OF `observability-be` AND POINT TO THIS FILE.
 ARG BASE_IMAGE_URL
-FROM ${BASE_IMAGE_URL}python:3.12.13-alpine3.23 AS build-image
+FROM ${BASE_IMAGE_URL}python:3.13-alpine3.23 AS build-image
 LABEL maintainer="DataKitchen"
 
 RUN apk update && apk upgrade && apk add --no-cache \
@@ -21,7 +21,7 @@ RUN python3 -O -m pip install /tmp/dk --prefix=/dk
 
 # Copy and build the actual application
 COPY . /tmp/dk/
-ENV PYTHONPATH=/dk/lib/python3.12/site-packages
+ENV PYTHONPATH=/dk/lib/python3.13/site-packages
 #    --no-deps: The previous pip layer will have already installed the dependencies. This
 #               will disable doing a second dependency resolution check.
 #           -O: Strips asserts from the code which removes some unnecessary codepaths resulting in a small
@@ -30,9 +30,10 @@ ENV PYTHONPATH=/dk/lib/python3.12/site-packages
 # --prefix=/dk: The destination installation environment folder
 RUN python3 -O -m pip install --no-deps /tmp/dk --prefix=/dk
 
-FROM ${BASE_IMAGE_URL}python:3.12.13-alpine3.23 AS runtime-image
+FROM ${BASE_IMAGE_URL}python:3.13-alpine3.23 AS runtime-image
 
 RUN apk update && apk upgrade && apk add --no-cache librdkafka=2.12.1-r0 \
+    && apk del curl libcurl \
     && pip install --no-cache-dir --upgrade pip
 
 # Grab the pre-built app from the build-image. This way we don't have
@@ -47,7 +48,7 @@ COPY --from=build-image \
 
 COPY --from=build-image /tmp/dk/deploy/migrations/ /dk/lib/migrations/
 
-ENV PYTHONPATH=/dk/lib/python3.12/site-packages
+ENV PYTHONPATH=/dk/lib/python3.13/site-packages
 ENV PATH=${PATH}:/dk/bin
 
 RUN addgroup -S observability && adduser -S observability -G observability

pyproject.toml

@@ -14,9 +14,9 @@ classifiers = [
     "Intended Audience :: Developers",
     "Operating System :: OS Independent",
     "Programming Language :: Python",
-    "Programming Language :: Python :: 3.12",
+    "Programming Language :: Python :: 3.13",
 ]
-requires-python = ">=3.12"
+requires-python = ">=3.13"
 
 dependencies = [
     "arrow~=1.2.2",
@@ -25,17 +25,17 @@ dependencies = [
     "APScheduler~=3.10.0",
     "blinker~=1.9.0",
     "boltons~=23.0.0",
-    "confluent-kafka==2.4.0",
+    "confluent-kafka~=2.6.0",
     "cryptography~=46.0.5",
     "flask~=3.1.0",
     "gunicorn~=23.0.0",
     "log-color==2.0.0",
     "Marshmallow-Peewee~=3.4.3",
     "marshmallow~=3.26.2",
     "marshmallow-union==0.1.15.post1",
-    "msgpack==1.0.4",
+    "msgpack~=1.1.0",
     "oauthlib~=3.2",
-    "peewee~=3.16.0",
+    "peewee~=3.17.0",
     "PyJWT~=2.4",
     "PyMySQL==1.1.1",
     "pybars3~=0.9.7",
@@ -122,7 +122,7 @@ filterwarnings = [
 # for an explanation of their functionality.
 # WARNING: When changing mypy configurations, be sure to test them after removing your .mypy_cache
 [tool.mypy]
-python_version = "3.12"
+python_version = "3.13"
 check_untyped_defs = true
 disallow_untyped_decorators = true
 disallow_untyped_defs = true
@@ -249,7 +249,7 @@ module = "pybars"
 ignore_missing_imports = true
 
 [tool.ruff]
-target-version = "py310"
+target-version = "py313"
 line-length = 120
 
 [tool.ruff.lint]